The present invention, in some embodiments thereof, relates to malicious activity detection and/or prevention and, more specifically, but not exclusively, to systems and methods of malicious activity detection and/or prevention based on monitoring of host and/or environment parameters.
Conventional anti-virus (AV) applications attempt to prevent harmful or malicious transmissions, such as viruses and worms, from infiltrating a computing device. Typically, such applications operate on a network gateway or host and monitor incoming traffic. Conventional AV applications, whether server based or host based, typically rely on a so-called fingerprint matching implementation. Such a fingerprint matching mechanism aggregates a set of unique indicators, or signatures, exhibited by known malicious transmissions. The unique indicators typically represent portions of files which a particular AV vendor has previously identified as malicious, such as a signature extracted from a particular byte range in the file, or a hash computed over a predetermined portion of the file. The result is a signature value substantially shorter than the entity (file) it represents, yet which has a high likelihood of matching a signature computed from another similar instance of the file. A set of signatures of known malicious transmissions is readily comparable against an incoming transmission to determine whether the incoming transmission contains malicious content. Because the signature is computed only over the selected portion of the file, a transmission that differs elsewhere still matches, while a transmission that differs within that portion, or one that has never been seen by the vendor, does not.
In recent years, systems and methods for integrating behavior based and signature based security have been developed. For example, U.S. Pat. No. 7,694,150 describes a behavior based (subject) approach that addresses the so-called "day zero" problem of object matching approaches, namely that a transmission not yet known to the signature set passes the signature check. An integrated approach combines the behavioral remedy against unknown transmissions with the signature matching of known harmful transmissions, to provide the reliability and stability of signature based approaches together with the real time responsiveness of the behavioral approach. A behavior monitoring module analyzes actions via behavioral heuristics indicative of actions performed by known harmful transmissions. The behavioral monitoring correlates the actions performed to determine an undesirable object. A signature generator then computes a real time signature on the suspect object. The signature generator accumulates successive real time signatures in this manner for comparison with subsequent incoming transmissions, thus combining the subject based behavioral aspects of virus detection with the deterministic aspects of the object approach.
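The following is an added illustration of both mechanisms described above, the signature matching of the preceding paragraph and the integrated behavior-plus-signature loop of this one. It is example code written for this page, not code from the patent, from U.S. Pat. No. 7,694,150, or from any AV product. The byte strings standing in for transmissions, the event log lines, the byte range used for the signature, and the set of heuristic actions are all constructed assumptions; a real implementation would derive the range and heuristics from analysis of known malicious samples.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample transmissions (byte strings stand in for files). Not real malware.
KNOWN_MALICIOUS = b"MZ\x90\x00" + b"\x00" * 60 + b"PAYLOAD:drop-exec-persist" + b"\x00" * 20
UNKNOWN_MALICIOUS = b"MZ\x90\x00" + b"\x00" * 60 + b"PAYLOAD:new-family-v1" + b"\x00" * 24
BENIGN = b"MZ\x90\x00" + b"\x00" * 60 + b"HELLO:installer-v2" + b"\x00" * 27

# Assumed "predetermined portion" of the file over which the signature hash is computed.
SIG_RANGE = (64, 96)

# Assumed behavioral heuristic: a subject that performs all three of these actions
# is treated as an undesirable object.
SUSPICIOUS_ACTIONS = {"write_executable", "set_autorun", "open_network"}

# Constructed host event log, one action per line, for the behavior monitor to consume.
EVENT_LOG = """\
subject=unknown.bin action=write_executable path=C:/Temp/a.exe
subject=benign.bin action=write_executable path=C:/ProgramFiles/app.exe
subject=unknown.bin action=set_autorun key=HKCU/Software/Microsoft/Windows/CurrentVersion/Run
subject=unknown.bin action=open_network dst=203.0.113.9:443
subject=benign.bin action=open_network dst=203.0.113.10:443
"""


def signature(data, byte_range=SIG_RANGE):
    """Fingerprint: hash of a fixed byte range, far shorter than the file itself."""
    start, end = byte_range
    return hashlib.sha256(data[start:end]).hexdigest()


class SignatureStore:
    """Set of signatures of known malicious transmissions."""

    def __init__(self, sigs=()):
        self.sigs = set(sigs)

    def add(self, sig):
        self.sigs.add(sig)

    def matches(self, data):
        return signature(data) in self.sigs


class BehaviorMonitor:
    """Correlates actions per subject; returns True once the heuristic set is complete."""

    def __init__(self):
        self.actions = defaultdict(set)

    def observe(self, subject, action):
        self.actions[subject].add(action)
        return SUSPICIOUS_ACTIONS <= self.actions[subject]


class IntegratedDetector:
    """Signature check on arrival; behavioral check afterwards feeds new signatures back."""

    def __init__(self, store):
        self.store = store
        self.monitor = BehaviorMonitor()
        self.objects = {}  # subject name -> bytes of the transmission it came from

    def inspect_transmission(self, name, data):
        if self.store.matches(data):
            return "blocked:signature"
        self.objects[name] = data  # unknown: let it through, but keep it for later signing
        return "allowed:unknown"

    def report_action(self, subject, action):
        if not self.monitor.observe(subject, action):
            return "ok"
        data = self.objects.get(subject)
        if data is not None:
            self.store.add(signature(data))  # real time signature of the suspect object
        return "blocked:behavior"


def parse_event(line):
    m = re.match(r"subject=(\S+) action=(\S+)", line)
    if not m:
        raise ValueError("unparseable event: " + line)
    return m.group(1), m.group(2)


def variant_coverage():
    """(matches variant changed outside the range, matches variant changed inside it)."""
    outside = bytearray(KNOWN_MALICIOUS)
    outside[10] ^= 0xFF
    inside = bytearray(KNOWN_MALICIOUS)
    inside[70] ^= 0xFF
    store = SignatureStore([signature(KNOWN_MALICIOUS)])
    return store.matches(bytes(outside)), store.matches(bytes(inside))


def run_demo():
    store = SignatureStore([signature(KNOWN_MALICIOUS)])
    det = IntegratedDetector(store)
    verdicts = [
        ("known.bin", det.inspect_transmission("known.bin", KNOWN_MALICIOUS)),
        ("unknown.bin", det.inspect_transmission("unknown.bin", UNKNOWN_MALICIOUS)),
        ("benign.bin", det.inspect_transmission("benign.bin", BENIGN)),
    ]
    for line in EVENT_LOG.splitlines():
        subject, action = parse_event(line)
        verdict = det.report_action(subject, action)
        if verdict != "ok":
            verdicts.append((subject, verdict))
    # A later copy of the same unknown transmission now hits the generated signature.
    verdicts.append(("unknown_copy.bin", det.inspect_transmission("unknown_copy.bin", UNKNOWN_MALICIOUS)))
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo():
        print(name, verdict)
    print("variant outside/inside range matches:", variant_coverage())
```

`variant_coverage` shows the limitation the signature paragraph implies: a byte flipped outside the hashed range leaves the match intact, a byte flipped inside it evades. `run_demo` shows the day-zero gap and its closure: the unknown sample passes the signature check, is caught only after its third heuristic action on the host, and a subsequent copy is then blocked deterministically by the signature generated from the first one, while the benign subject, which never completes the action set, is left alone.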